1 00:00:00,000 --> 00:00:14,760 This is Hacker Public Radio episode 3,821 from Monday the 27th of March 2023.
2 00:00:14,760 --> 00:00:19,800 Today's show is entitled The Oh No News.
3 00:00:19,800 --> 00:00:25,480 It is hosted by Some Guy on the Internet and is about 13 minutes long.
4 00:00:25,480 --> 00:00:28,080 It carries a clean flag.
5 00:00:28,080 --> 00:00:41,040 The summary is, "Oh no, news is good news."
6 00:00:41,040 --> 00:00:44,040 Hello and welcome to another episode of Hacker Public Radio.
7 00:00:44,040 --> 00:00:49,720 I'm your host, Some Guy on the Internet, also known as Scotty, and this is The Oh No News.
8 00:00:49,720 --> 00:00:51,720 Oh no!
9 00:00:51,720 --> 00:00:57,280 GoDaddy, the web hosting provider, suffers multiple attacks from an advanced persistent
10 00:00:57,280 --> 00:00:58,040 threat.
11 00:00:58,040 --> 00:01:05,280 In March of 2020, a phishing attack on an employee resulted in the compromised login credentials
12 00:01:05,280 --> 00:01:12,760 of other employees and approximately 28,000 GoDaddy customers.
13 00:01:12,760 --> 00:01:20,320 In November of 2021, attackers stole GoDaddy source code and data related to approximately
14 00:01:20,320 --> 00:01:27,400 1.2 million GoDaddy customers by using compromised credentials, including website admin
15 00:01:27,400 --> 00:01:38,120 credentials, SFTP credentials, and private SSL keys. In December of 2022, attackers accessed
16 00:01:38,120 --> 00:01:44,800 GoDaddy cPanel hosting servers and installed malware that redirected some customer websites
17 00:01:44,800 --> 00:01:50,160 to malicious sites.
18 00:01:50,160 --> 00:01:54,640 In short, if you're a GoDaddy customer, you need to start finding some new web hosting
19 00:01:54,640 --> 00:01:57,720 services. For our next story:
20 00:01:57,720 --> 00:02:00,000 Chick-fil-A data breach.
21 00:02:00,000 --> 00:02:01,760 Chick-fil-A suffered a data breach.
22 00:02:01,760 --> 00:02:08,480 It involved membership numbers, mobile pay numbers, QR codes, last four digits of credit
23 00:02:08,480 --> 00:02:14,640 and debit card numbers, credits on Chick-fil-A accounts, birthdays, phone numbers, and any
24 00:02:14,640 --> 00:02:17,440 addresses you may have had on file.
25 00:02:17,440 --> 00:02:20,920 So if you're a Chick-fil-A customer and you use their apps or anything like that to order
26 00:02:20,920 --> 00:02:25,920 your food, you want to go ahead and edit your account, change your password, and possibly
27 00:02:25,920 --> 00:02:28,760 remove as much of that data from there as you can.
28 00:02:28,760 --> 00:02:33,240 Do the same thing for any other restaurant apps and accounts you may use. For our next
29 00:02:33,240 --> 00:02:34,240 article:
30 00:02:34,240 --> 00:02:44,800 This is just an email-based scam, and it's targeting people who are looking to invest in,
31 00:02:44,800 --> 00:02:52,400 well, crypto or ChatGPT. This type of phishing scam is targeting basically your name, your
32 00:02:52,400 --> 00:02:57,440 date of birth, address, any kind of payment information you're willing to hand over, phone
33 00:02:57,440 --> 00:03:02,200 number, contact information like email addresses, and things like that.
34 00:03:02,200 --> 00:03:06,800 Any financial information you're going to provide, and I believe specifically WhatsApp
35 00:03:06,800 --> 00:03:11,840 credentials; I believe that's how they keep in communication with you once the scam
36 00:03:11,840 --> 00:03:12,840 begins.
37 00:03:12,840 --> 00:03:18,440 Yeah, if you're interested in playing with ChatGPT, just be careful; they're launching
38 00:03:18,440 --> 00:03:20,240 new scams surrounding it.
39 00:03:20,240 --> 00:03:30,960 For our next article, a group known as Flashpoint has discovered a weakness in the password
40 00:03:30,960 --> 00:03:36,600 manager, but to be fair, it sounds like any password manager can fall for this type of
41 00:03:36,600 --> 00:03:43,000 flaw. Quote: "Because the embedded iframe does not have access to any content in the parent
42 00:03:43,000 --> 00:03:44,000 page,
43 00:03:44,000 --> 00:03:49,240 it can wait for input to the login form and forward the entered credentials to a remote
44 00:03:49,240 --> 00:03:52,040 server without further user interaction."
45 00:03:52,040 --> 00:03:58,520 Close quote. So the iframe is an HTML object, and here's a little bit of information
46 00:03:58,520 --> 00:04:04,120 I dug up from Wikipedia: an iframe, also known as an inline frame, places another
47 00:04:04,120 --> 00:04:12,480 HTML document in a frame. Unlike an object element, an iframe can be the target frame
48 00:04:12,480 --> 00:04:18,640 for links defined by other elements, and it can be selected by the user agent as the focus
49 00:04:18,640 --> 00:04:22,160 for printing, viewing its source, and so on.
50 00:04:22,160 --> 00:04:28,160 Flashpoint points out that if you're using Bitwarden with the autofill feature turned
51 00:04:28,160 --> 00:04:34,760 on, Bitwarden will simply fill the fields on the page. Now, if the page was compromised
52 00:04:34,760 --> 00:04:41,560 by attackers, the attackers would embed these hidden iframes, and Bitwarden will fill
53 00:04:41,560 --> 00:04:48,000 the attackers' fields as well as the legitimate ones, so when the user submits their credentials
54 00:04:48,000 --> 00:04:54,440 to the legitimate site, it would also submit the credentials to the attacker, and that's
55 00:04:54,440 --> 00:04:56,000 what it boils down to.
56 00:04:56,000 --> 00:05:01,800 That's why I'm including any password manager in this, because anyone that uses the autofill
57 00:05:01,800 --> 00:05:08,520 feature would allow attackers to also gain access to your credentials by these hidden
58 00:05:08,520 --> 00:05:09,840 iframes.
59 00:05:09,840 --> 00:05:15,200 So, long story short, don't use autofill. I know it's a very convenient thing to have,
60 00:05:15,200 --> 00:05:20,160 where as soon as you load a page, your password manager, if you're logged in, would automatically
61 00:05:20,160 --> 00:05:25,960 fill the fields on the page. If you avoid using that feature, which Bitwarden has disabled
62 00:05:25,960 --> 00:05:31,040 by default, you have nothing to worry about. Just manually fill the fields that you can
63 00:05:31,040 --> 00:05:37,480 see by copying your password and your username and pasting them into the correct field;
64 00:05:37,480 --> 00:05:39,200 you're fine, nothing to worry about.
65 00:05:39,200 --> 00:05:43,080 I'd also like to include this quick note. I just thought about it, that this may
66 00:05:43,080 --> 00:05:50,080 be more of an accessibility feature, so I understand those who may use this for a benefit,
67 00:05:50,080 --> 00:05:55,920 such as being visually impaired; having an automatic feature like this would be helpful.
68 00:05:55,920 --> 00:06:02,280 For now, if you can navigate the page using tabs to get to your credential fields and
69 00:06:02,280 --> 00:06:07,160 enter your credentials manually using keyboard shortcuts and tabs, that would be a lot
70 00:06:07,160 --> 00:06:11,440 safer for you, even though it might be slightly more inconvenient.
71 00:06:11,440 --> 00:06:14,040 A final quote from Flashpoint:
72 00:06:14,040 --> 00:06:19,920 "This means an attacker hosting a phishing page under a subdomain that matches the stored
73 00:06:19,920 --> 00:06:25,560 login for the given base domain will capture the credentials upon the victim visiting
74 00:06:25,560 --> 00:06:28,840 the page with autofill enabled."
75 00:06:28,840 --> 00:06:29,840 Close quote.
76 00:06:29,840 --> 00:06:41,880 For our next story, attackers targeted one of four DevOps engineers with access to the
77 00:06:41,880 --> 00:06:47,080 decryption keys needed to access LastPass production cloud storage services.
78 00:06:47,080 --> 00:06:48,080 Quote:
79 00:06:48,080 --> 00:06:54,520 "This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable
80 00:06:54,520 --> 00:07:00,280 third-party media software package, which enabled remote code execution capability and
81 00:07:00,280 --> 00:07:05,120 allowed the threat actor to implant keylogger malware.
82 00:07:05,120 --> 00:07:10,760 The threat actor was able to capture the employee's master password as it was entered, after
83 00:07:10,760 --> 00:07:16,800 the employee authenticated with multi-factor authentication, and gain access to the DevOps
84 00:07:16,800 --> 00:07:20,600 engineer's LastPass corporate vault."
85 00:07:20,600 --> 00:07:21,600 Close quote.
86 00:07:21,600 --> 00:07:27,400 The attackers then exported corporate vault entries and shared folders, which contained
87 00:07:27,400 --> 00:07:35,280 encrypted secure notes with access to decryption keys needed to access the AWS S3 LastPass
88 00:07:35,280 --> 00:07:41,680 production backups, other cloud-based storage resources, and some related critical database
89 00:07:41,680 --> 00:07:43,760 backups.
90 00:07:43,760 --> 00:07:44,760 Yikes.
91 00:07:44,760 --> 00:07:50,600 Now, the summary here, folks: I wouldn't tell you to just switch away from something that you're
92 00:07:50,600 --> 00:07:55,680 comfortable with, but if you're using LastPass, it's starting to seem as though it's
93 00:07:55,680 --> 00:08:01,680 very difficult for them to get out from underneath this attack, so I believe it's best for
94 00:08:01,680 --> 00:08:08,320 you, the user, to move on to a different password manager while LastPass figures out what's
95 00:08:08,320 --> 00:08:10,200 happening with their systems.
96 00:08:10,200 --> 00:08:16,400 It's not just because of the attack that I'm offering this information to you, this suggestion,
97 00:08:16,400 --> 00:08:22,720 because eventually all of these companies, LastPass and any other password managers, they'll
98 00:08:22,720 --> 00:08:26,720 all eventually face an advanced persistent threat.
99 00:08:26,720 --> 00:08:31,000 And when you have such a threat on you, it's only a matter of time.
100 00:08:31,000 --> 00:08:37,840 My advice to move comes because of the policies that LastPass seemed to either have a lack
101 00:08:37,840 --> 00:08:40,600 of or a lack of enforcement of.
102 00:08:40,600 --> 00:08:47,400 It sounds as though the DevOps engineer was using a personal computer instead of a corporate
103 00:08:47,400 --> 00:08:50,400 computer to manage all of these secrets.
104 00:08:50,400 --> 00:08:55,840 And with a personal computer, I mean, there's no telling where he was getting his software,
105 00:08:55,840 --> 00:09:01,160 or he or she, where this engineer was getting their software from. Not pointing any fingers
106 00:09:01,160 --> 00:09:07,240 at any particular package management system or distribution; however, when you're working with
107 00:09:07,240 --> 00:09:13,280 the keys to everyone's kingdom, there should definitely be a division in the hardware as
108 00:09:13,280 --> 00:09:16,920 well as the software, and that was not the case here.
109 00:09:16,920 --> 00:09:22,920 So until LastPass can prove that they've gotten their act together, policy-wise and procedurally,
110 00:09:22,920 --> 00:09:28,120 I believe it is safer for you, the user, to simply move away from this password manager.
111 00:09:28,120 --> 00:09:29,440 Here are some options for you.
112 00:09:29,440 --> 00:09:33,800 You don't have to select these, but they're just options that you can look at in the meantime.
113 00:09:33,800 --> 00:09:40,680 You can try KeePassXC, Bitwarden, or any of the other open source options that are available
114 00:09:40,680 --> 00:09:41,680 to you.
115 00:09:41,680 --> 00:09:45,360 Also, you're going to definitely want to go through each of your accounts that you
116 00:09:45,360 --> 00:09:51,080 store in LastPass and begin changing all of your passwords for those accounts as well
117 00:09:51,080 --> 00:09:56,960 as updating your multi-factor authentication; for any accounts without multi-factor authentication,
118 00:09:56,960 --> 00:09:59,640 you definitely want to enable it.
119 00:09:59,640 --> 00:10:05,760 Let's switch over to user space.
120 00:10:05,760 --> 00:10:10,720 I've been keeping an eye on Flathub, checking out the new beta, and man, they've got some wonderful
121 00:10:10,720 --> 00:10:11,720 features coming up.
122 00:10:11,720 --> 00:10:17,160 I want you to keep in mind that all of this is just projections of what they're hoping to add.
123 00:10:17,160 --> 00:10:25,600 They're planning to add direct uploads, verified apps, and a payment support system for the
124 00:10:25,600 --> 00:10:33,320 Flathub website. Now, right now the GNOME Foundation is sort of managing the whole thing,
125 00:10:33,320 --> 00:10:38,320 and that's a problem for them because of the way the GNOME Foundation is structured.
126 00:10:38,320 --> 00:10:44,800 So part of the plan is to establish an independent legal entity to own and operate
127 00:10:44,800 --> 00:10:45,800 Flathub.
128 00:10:45,800 --> 00:10:53,440 Quote: "So far, the GNOME Foundation has acted as an incubator and legal host for Flathub, even though
129 00:10:53,440 --> 00:11:00,080 it is not purely a GNOME product or initiative. Distributing software to end users along
130 00:11:00,080 --> 00:11:06,200 with processing and forwarding payments and donations also has a different legal profile
131 00:11:06,200 --> 00:11:11,680 in terms of risk exposure and nonprofit compliance than the current activities of the
132 00:11:11,680 --> 00:11:13,280 GNOME Foundation.
133 00:11:13,280 --> 00:11:19,040 Consequently, we plan to establish an independent legal entity in order to operate
134 00:11:19,040 --> 00:11:22,560 Flathub, which reduces risk to the GNOME Foundation.
135 00:11:22,560 --> 00:11:27,920 This better reflects the independent and cross-desktop interests of Flathub, and provides
136 00:11:27,920 --> 00:11:32,240 flexibility in the future should we need to change the structure.
137 00:11:32,240 --> 00:11:37,880 We're currently in the process of reviewing legal advice to ensure we have the right structure
138 00:11:37,880 --> 00:11:40,080 in place before moving forward."
139 00:11:40,080 --> 00:11:52,440 Close quote. The plan is also to raise $250,000 in funding and sponsorships.
140 00:11:52,440 --> 00:12:00,120 The Endless Network provided a $100,000 grant toward the infrastructure, legal, and operation
141 00:12:00,120 --> 00:12:02,600 costs of running Flathub.
142 00:12:02,600 --> 00:12:07,360 In the next round of funding and development, hiring a second full-time staff member in
143 00:12:07,360 --> 00:12:12,520 addition to, and I don't want to butcher the name here, there's a name in there.
144 00:12:12,520 --> 00:12:15,400 I think I could say the last name, Piotrowski.
145 00:12:15,400 --> 00:12:17,800 Sorry if I got that wrong.
146 00:12:17,800 --> 00:12:26,640 To handle inquiries, reviews, documentation, and partner outreach. The plan will also include
147 00:12:26,640 --> 00:12:33,840 establishing governance to oversee the project, and starting a Flathub focus group for feedback
148 00:12:33,840 --> 00:12:34,840 from devs.
149 00:12:34,840 --> 00:12:38,160 Now, I also want to talk security just for a moment here.
150 00:12:38,160 --> 00:12:39,720 I got a quote for you.
151 00:12:39,720 --> 00:12:44,880 "For Flathub to succeed, we need to make sure that as we grow, we continue to be the
152 00:12:44,880 --> 00:12:51,280 platform that can give users confidence in the quality and security of the apps we offer.
153 00:12:51,280 --> 00:12:57,000 To that end, we are planning to set up infrastructure to help ensure developers are shipping
154 00:12:57,000 --> 00:13:01,000 the best products they possibly can to users.
155 00:13:01,000 --> 00:13:07,200 For example, we'd like to set up automated linting and security scanning on the Flathub
156 00:13:07,200 --> 00:13:14,120 back end to help developers avoid bad practices, unnecessary sandboxing permissions, outdated
157 00:13:14,120 --> 00:13:20,400 dependencies, et cetera, and keep users informed and as secure as possible."
158 00:13:20,400 --> 00:13:22,040 Close quote.
159 00:13:22,040 --> 00:13:32,800 All right, ladies and gentlemen, this concludes another episode of The Oh No News.
160 00:13:32,800 --> 00:13:35,920 Let me know what you think about the show notes and everything; I'm playing around with
161 00:13:35,920 --> 00:13:37,480 different formats,
162 00:13:37,480 --> 00:13:43,360 trying to provide you the most information and not draw out certain articles too long,
163 00:13:43,360 --> 00:13:46,960 so the format's constantly being massaged.
164 00:13:46,960 --> 00:13:53,040 I'd like to see your comments, maybe do a show as a response, or hit me up over on Matrix.
165 00:13:53,040 --> 00:13:54,920 I'm also on Mastodon.
166 00:13:54,920 --> 00:13:57,080 Thank you guys for coming by HPR.
167 00:13:57,080 --> 00:14:25,840 Good day.
168 00:14:25,840 --> 00:14:32,440 Unless otherwise stated, today's show is released under a Creative Commons Attribution
169 00:14:32,440 --> 00:14:55,200 4.0 International License.